Penetration Testing mailing list archives

Re: Physical Security - Pen Test

From: Neo <security () spacerat ch>
Date: Tue, 31 Mar 2009 12:03:53 +0200

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hack the lock at the backdoor of the company, school, whatever, in the
night. The physical door, and you are in. Every further security is
disabled this way. If access cards are used, you may want to steal one.
Other approach is to use brute force against the physical door, or other
ways of lockpicking.

Often backup tapes are not physically protected, or at the chiefs home,
floating around unsecured. Always a good way to get data. Or you may
want to get access to an employees home PC and use his VPN connection.
Management employees home pcs are most likely to be less secured than
technical staff emplyee ones.

You mean "pentest" if you already have physical access? In which case
every pentest is futile, because you can reboot the machine with an
prepared linux, windows, whatever cd, usb stick and reset the admin/root
password. Or simply take the data on harddiscs with you.

Or simplay fake a visitcard from a telephone guy, wear a working suite,
and let them take to their server rooms. Normally the office girls are
really dumb. Especially the blonde ones ;o)

my 2 cents

Neo

THIS IS NOT A INVOCATION/REQUEST/CALL TO DO ILLEGAL THINGS. JUST
POSSIBILITIES YOU MAY WANT TO CONSIDER. IN EVERY CASE YOU WILL NEED THE
WRITTEN OK FROM THE MANAGEMENT BEFORE BEGINNING PENTESTS. PHYSICAL OR NOT!!

iadcc schrieb:

Has anybody ever conducted a physical security penetration test? Do you have
a sample test plan you used? I have formulated some Social Engineering tests
we could try but anything else would be useful./

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAknR6ogACgkQDKoGk2jFdgxiWQCgp3fr0WOl6unQVIbLxjPPHKFy
3+8AniDk6h/4gQu4fKSv9IXEPh8uGBOX
=DgQO
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

No time or budget for traveling to a training course in this fiscal year? Check out the online penetration testing 
courses available at InfoSec Institute. More than a boring "talking head", train in our virtual labs for a total 
hands-on training experience. Get the certs you need as well: CEH, CPT, CEPT, ECSA, LPT. 

http://www.infosecinstitute.com/request_online_training.html
------------------------------------------------------------------------

Current thread:

Re: Physical Security - Pen Test Neo (Apr 03)
- <Possible follow-ups>
- Re: Physical Security - Pen Test M.D.Mufambisi (Apr 03)
  - RE: Physical Security - Pen Test Shenk, Jerry A (Apr 03)
- Re: Physical Security - Pen Test Marco Ivaldi (Apr 03)